Unable to login to vSphere Web Client using CAC authentication after enabling OCSP
search cancel

Unable to login to vSphere Web Client using CAC authentication after enabling OCSP

book

Article ID: 336207

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

After configuring and enabling OCSP, logging into the vSphere Web Client using CAC card authentication fails with an error similar to the following:

"Unable to validate the submitted credential"

 

Environment

VMware vCenter Server 6.0.x

Resolution

To set alternate OCSP responder certificate with the option supported in 6.0 Update 3,

sso-config.sh -set_authn_policy -t vsphere.local -ocspUrl http://<CA-FQDN>/ocsp -ocspCert <path_to_ocsp_signing_ca_cert>.cer

In Windows:

  1. Access the directory

    cd <C:\Program Files\Vmware\vCenter Server\Vmware Identity Services\>

  2. Run the command

sso-config.bat

In Linux:

  1. Access the directory

    cd /opt/vmware/bin

  2. Run the command

sso-config.sh

For example:
sso-config.sh -set_authn_policy -t vsphere.local -ocspUrl http://<OSCPhostname>/ocsp -ocspCert ca_<hostname>_com.cer

 

Check authentication policy to see if the OCSP URL and certificates are properly set.

sso-config.sh -get_authn_policy -t vsphere.local

IsPasswordAuthEnabled: true
IsWindowsAuthEnabled: true
IsTLSClientCertAuthnEnabled: true
IsSecurIDAuthnEnabled: false
revocationCheckEnabled: true
useOCSP: true
sendOCSPNonce: false
useCRLAsFailOver: true
OCSPResponderSigningCert: CN=CA, DC=<DC>, DC=com
OCSPUrl: http://<OCSPhostname>/ocsp

useCertCRL: true
CRL CacheSize: 512
CRLUrl: UndefinedConfig
trustedCA: CN=<hostname>-CA, DC=<DC>, DC=com
trustedCA: CN=<hostname2>-CA, DC=<DC>, DC=<DC2>, DC=com

Additional Information

Powered by Wolken Software